- From: Jacob Bednarz <jacob.bednarz@gmail.com>
- Date: Thu, 3 Mar 2016 09:31:52 +1100
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAOiVBi7NAaqsgh=fHAT1_89ocfb3LWBTk2Jup=33faPTsMLc9w@mail.gmail.com>
Hi,

Sorry to bring up an old topic but this has popped up again and I'm still without a viable solution. Here are some of my thoughts:

- Adding all Google domains to a whitelist: There are a lot and I don't really want every single domain in there due to the sheer number required.
- Allowing all image traffic to be requested: This kind of defeats the purpose of why we set out in implementing a content security policy.
- Proxying all Google traffic: While this sounds viable I'm wondering whether there will be any implications or consequences of doing this for our analytics or ads setup, but I'm unable to test this reliably until it's in production, which then becomes too late for our data if it ends up botched.

Has anyone else had experience with this or have any ideas that differ from the above? Mike, do you have any insights from the Google side of things that might help here?

Thanks!

On Sat, Jan 10, 2015 at 5:11 AM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> * Jacob Bednarz wrote:
> >I completely agree and to be honest I don't have any solutions that could
> >be implemented within a CSP that wouldn't compromise the
> >(intended) security or performance. The only thing I considered was regular
> >expressions but they would impose a terrible performance overhead.
>
> It seems rather unlikely that they would.
> --
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
> Available for hire in Berlin (early 2015) · http://www.websitedev.de/
Received on Wednesday, 2 March 2016 22:32:20 UTC
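The three options in the message above differ in which image requests a browser will actually permit, and that is easiest to see by evaluating candidate `img-src` directives against sample requests. The following is an added example, not code from the thread or from any of its participants: a simplified implementation of CSP host-source matching (scheme, `*.` wildcard host, port, path prefix, `'self'`, `*`) that checks each of the three policies against an analytics beacon, a same-origin proxied beacon, and an image from an unrelated host. The origin `shop.example`, the `/ga-proxy/` path, and the hostnames in the policies are assumptions chosen for illustration, not values from the message.

```python
"""Evaluate candidate img-src policies against sample image requests.

Added example, not part of the mailing-list post. The matcher follows the
CSP host-source rules in simplified form: a schemeless host-source is
treated as matching http or https, and port/path handling is basic.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

ORIGIN = "https://shop.example"  # assumed origin of the protected page

# The three approaches from the message, as concrete policies (hostnames assumed).
POLICIES = {
    "whitelist": "default-src 'self'; "
                 "img-src 'self' https://*.google-analytics.com https://*.doubleclick.net",
    "all-images": "default-src 'self'; img-src *",
    "proxy": "default-src 'self'; img-src 'self'",  # beacons rewritten to same origin
}

# Constructed sample requests a page under this policy might make.
SAMPLE_REQUESTS = {
    "analytics beacon": "https://www.google-analytics.com/collect?v=1",
    "proxied beacon": "https://shop.example/ga-proxy/collect?v=1",
    "untrusted image": "https://untrusted.invalid/pixel.gif?d=secret",
}


def parse_policy(header):
    """Turn "default-src a; img-src b c" into {"default-src": ["a"], "img-src": ["b", "c"]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _effective_port(parts):
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def source_matches(expr, url, origin):
    """Return True if a single CSP source expression permits fetching url."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "*":
        return u.scheme in ("http", "https")
    if expr == "'self'":
        o = urlsplit(origin)
        return (u.scheme, (u.hostname or "").lower(), _effective_port(u)) == \
               (o.scheme, (o.hostname or "").lower(), _effective_port(o))
    if expr.endswith(":"):  # scheme-source such as "https:"
        return u.scheme == expr[:-1].lower()

    # host-source: [scheme://]host[:port][/path]
    scheme = None
    rest = expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        scheme = scheme.lower()
    if scheme and u.scheme != scheme:
        return False
    if not scheme and u.scheme not in ("http", "https"):
        return False

    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    host = host.lower()
    url_host = (u.hostname or "").lower()
    if host.startswith("*."):
        # "*.example.com" covers subdomains only, not the bare "example.com".
        if not url_host.endswith(host[1:]):
            return False
    elif url_host != host:
        return False

    url_port = _effective_port(u)
    if port == "*":
        pass
    elif port:
        if url_port != int(port):
            return False
    elif url_port != DEFAULT_PORTS.get(scheme or u.scheme):
        return False

    if path:
        path = "/" + path
        if path.endswith("/"):  # directory prefix match
            if not u.path.startswith(path):
                return False
        elif u.path != path:    # exact file match
            return False
    return True


def img_allowed(header, url, origin=ORIGIN):
    """img-src governs images; fall back to default-src when it is absent."""
    policy = parse_policy(header)
    sources = policy.get("img-src", policy.get("default-src", ["*"]))
    return any(source_matches(s, url, origin) for s in sources)


def evaluate():
    """Map each candidate policy to the allow/deny outcome of every sample request."""
    return {name: {label: img_allowed(p, url) for label, url in SAMPLE_REQUESTS.items()}
            for name, p in POLICIES.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(name, results)
```

The table that `evaluate()` produces makes the trade-off in the message concrete: the whitelist and proxy policies both reject the image from an unrelated host, which is the protection the policy was deployed for, while `img-src *` accepts it; the proxy policy additionally rejects the direct analytics beacon, so it only works once every beacon is rewritten to the same-origin path.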